Unbound DNS over TLS Adblock up-to-date root.hints

tinkeruntilitworks
Guest





PostPosted: Fri Jun 05, 2020 20:20    Post subject: Reply with quote
You can use a USB drive mounted to jffs as well. You have to add a sleep and an unbound restart in your startup script though; if not, the router's default conf will be used. 2 works for me. Test with
Code:
ps | grep unbound

Example startup script
Code:
sleep 2
stopservice unbound
startservice unbound

With Changeset 43433 of DD-WRT, if more than 1 CPU is used, so-reuseport: no becomes the default setting. Using the default conf it is added automatically. I'm not certain what happens with a custom conf, so for good practice add it to your conf.
Code:
so-reuseport: no

Root hints get updated monthly. You shouldn't need to update that often, but every so often is a good idea.
Code:
curl -sS --output /jffs/etc/root.hints https://www.internic.net/domain/named.cache
stopservice unbound
startservice unbound
ps | grep unbound

In the DD-WRT v3.0-r44048 std (08/02/20) build there was an Unbound update. So far I've noticed that when Unbound restarts it now prints stats to the system log. You can view them whenever you want by running the following on the command line
Code:
unbound-control stats_noreset

If you add the following to your unbound.conf
Code:
control-enable: yes
control-use-cert: no

For testing purposes/curiosity, add the following. It creates a log file and shows a lot of information.
Code:
verbosity: 5
extended-statistics: yes
logfile: "/jffs/etc/unbound.log"
log-time-ascii: yes
log-queries: yes
log-replies: yes
log-tag-queryreply: yes
log-local-actions: yes
log-servfail: yes
control-enable: yes
control-use-cert: no

*August 17th 2020

An example conf, because it seems it matters where they are placed
Code:
cat << EOF > /jffs/etc/unbound.conf
server:
verbosity: 5
extended-statistics: yes
num-threads: 2
interface: 127.0.0.1@7053
outgoing-range: 462
so-reuseport: no
msg-buffer-size: 8192
msg-cache-size: 1m
msg-cache-slabs: 2
num-queries-per-thread: 30
rrset-cache-size: 2m
rrset-cache-slabs: 2
infra-cache-slabs: 2
infra-cache-numhosts: 200
udp-upstream-without-downstream: yes
access-control: 192.168.1.1/24 allow
chroot: "/jffs/etc"
username: ""
directory: "/jffs/etc"
logfile: "/jffs/etc/unbound.log"
log-time-ascii: yes
log-queries: yes
log-replies: yes
log-tag-queryreply: yes
log-local-actions: yes
log-servfail: yes
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/etc/root.hints"
target-fetch-policy: "2 1 0 0 0 0"
harden-short-bufsize: yes
harden-large-queries: yes
auto-trust-anchor-file: "/jffs/etc/root.key"
key-cache-size: 100k
key-cache-slabs: 2
neg-cache-size: 10k
include: "/jffs/etc/blockedhosts.conf"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
python:
remote-control:
control-enable: yes
control-use-cert: no
forward-zone:
name: "."
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-tls-upstream: yes
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "root.zone"
EOF
stopservice unbound
startservice unbound
ps | grep unbound

*August 21st 2020
Thanks Brain Slayer
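The refresh step above overwrites /jffs/etc/root.hints with whatever curl returned and restarts Unbound every time. A partial download or an HTML error page saved under that name stops Unbound from starting, so it is worth checking the file before swapping it in, and only restarting when the server set actually changed. The following is an added example, not the poster's script and not part of DD-WRT or Unbound; the /jffs/etc/root.hints path is taken from the post above, and the three-server sample file is constructed so the checks run offline (a real named.cache lists 13 servers).

```python
"""Sanity-check a newly downloaded root.hints (named.cache) before it replaces the
file Unbound loads, and restart only when the server set actually changed.
Constructed example for the refresh step in the post above; not part of DD-WRT."""
import ipaddress
import os


def parse_root_hints(text):
    """Map each root server named in an NS record for '.' to its glue addresses.
    Records look like '.  3600000  NS  A.ROOT-SERVERS.NET.' and
    'A.ROOT-SERVERS.NET.  3600000  A  198.41.0.4'; ';' starts a comment."""
    servers, glue = {}, {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) > 2 and fields[2].upper() == "IN":  # tolerate an explicit class
            del fields[2]
        if len(fields) < 4:
            continue
        owner, rtype, rdata = fields[0].upper(), fields[2].upper(), fields[3]
        if owner == "." and rtype == "NS":
            servers.setdefault(rdata.upper(), set())
        elif rtype in ("A", "AAAA"):
            ipaddress.ip_address(rdata)  # raises ValueError on a mangled address
            glue.setdefault(owner, set()).add(rdata)
    return {name: glue.get(name, set()) for name in servers}


def validate_root_hints(text, expected_servers=13):
    """Return the parsed server map, or raise ValueError for a truncated download,
    an HTML error page, or a server that has no address to reach it on."""
    servers = parse_root_hints(text)
    if len(servers) != expected_servers:
        raise ValueError(f"expected {expected_servers} root NS records, found {len(servers)}")
    missing = sorted(name for name, addrs in servers.items() if not addrs)
    if missing:
        raise ValueError("root servers without glue: " + ", ".join(missing))
    return servers


def hints_changed(old_text, new_text):
    """True when the server set or its addresses differ; comment-only edits
    (the 'last update' line changes every month) do not force a restart."""
    return parse_root_hints(old_text) != parse_root_hints(new_text)


def install_if_changed(new_text, path="/jffs/etc/root.hints", expected_servers=13):
    """Validate new_text, write it atomically over path and report whether Unbound
    needs a restart. The path matches the post above and is an assumption."""
    validate_root_hints(new_text, expected_servers)
    try:
        with open(path) as f:
            old_text = f.read()
    except FileNotFoundError:
        old_text = ""
    if not hints_changed(old_text, new_text):
        return False
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.replace(tmp, path)  # readers see either the old file or the complete new one
    return True


# Constructed three-server sample in named.cache layout with TEST-NET addresses,
# so the checks run offline; a real file lists 13 servers.
SAMPLE_HINTS = """\
;       root name server hints (constructed sample)
;       last update:     January 01, 2024
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.5
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.0.2.6
; End of file
"""
# The same file cut off before the last glue record, as a partial download would be.
TRUNCATED_HINTS = SAMPLE_HINTS.split("C.ROOT-SERVERS.NET.      3600000")[0]
```

Feed install_if_changed() the text curl fetched into a temporary location (rather than writing straight to /jffs/etc/root.hints) and run stopservice/startservice only when it returns True; a file that fails validation never reaches the path Unbound reads.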
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

PostPosted: Sun Nov 29, 2020 10:34    Post subject: Reply with quote
Here is my custom /jffs/etc/unbound.conf minced with some notes and comments:

History:
Edited 02 Dec 2020
Edited 03 Dec 2020

This is a result of copying others' work without much study. Not recommended. Use the newer one I posted below.
Code:

#
# source: https://0xcb.dev/unbound-recursive-dns-resolver/
#
# curl -sS -L --compressed "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" > /tmp/blockedhosts
# grep '^0\.0\.0\.0' /tmp/blockedhosts | awk '{print "local-data: \""$2" A 127.0.0.1\""}' > /jffs/etc/blockedhosts.conf
#
# reference: https://calomel.org/unbound_dns.html
#
# /jffs/etc/root.zone came from https://data.iana.org/root-anchors/root-anchors.xml
#
# Trust anchors: https://data.iana.org/root-anchors/
#
# Official root files: https://www.iana.org/domains/root/files
#
# Default ntp server for process_monitor without DNS: 212.18.3.19
#
server:
interface: 0.0.0.0

do-tcp: yes
do-ip6: no
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
#
username: ""
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
#
verbosity: 1
log-servfail: yes
extended-statistics: yes
#
# reference: https://nlnetlabs.nl/documentation/unbound/howto-anchor/
#
# The unbound-anchor tool provides an initial anchor from builtin values,
# but for real trust you should check this thoroughly.
#
auto-trust-anchor-file: "/etc/unbound/root.key"
root-hints: "/etc/unbound/named.cache"
#
hide-identity: yes
hide-version: yes
harden-short-bufsize: yes
harden-large-queries: yes
# harden-glue: yes
#
minimal-responses: yes
qname-minimisation: yes
prefetch: yes
prefetch-key: yes
rrset-roundrobin: yes
#
# following parameter disabled TLS
# use-caps-for-id: yes
#
# Performance tuning:
#
num-queries-per-thread: 2048
outgoing-range: 2048
edns-buffer-size: 1472
msg-cache-size: 67108864
rrset-cache-size: 128525653
#
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
infra-cache-slabs: 1
key-cache-slabs: 1
#
local-zone: "my_domain.com." static
local-data: "rt-n18u.my_domain.com. IN A 192.168.1.1"
local-data-ptr: "192.168.1.1 rt-n18u.my_domain.com"
#
# for using custom time server name in Time Settings
# local-data: "time.hko.hk IN A 118.143.17.82"
#
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.0.0.1@853#one.one.one.one
  forward-addr: 1.1.1.1@853#one.one.one.one
  forward-addr: 8.8.4.4@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
#
auth-zone:
  name: "."
# https://www.iana.org/domains/root/servers
  master: 192.41.0.4
  master: 199.9.14.201
  master: 192.33.4.12
  master: 199.7.91.13
  master: 192.203.230.10
  master: 192.5.5.241
  fallback-enabled: yes
  for-downstream: no
  for-upstream: yes
#  zonefile: "root.zone"
#  url: "https://www.internic.net/domain/root.zone"
#
# unbound-checkconf unbound.conf
# stopservice unbound
# startservice unbound
# ps | grep unbound
#
# To test DNSSEC:
#
# https://1.1.1.1/help
# https://www.cloudflare.com/ssl/encrypted-sni/
# https://dnssec.vs.uni-due.de/
#
# reference: https://wiki.archlinux.org/index.php/unbound#Setting_up_unbound-control
# reference: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325167
#
# run unbound-control-setup to generate certs
#
# echo dumping & reloading cache...
# unbound-control dump_cache > $DIR/cache
# echo backing up the dns cache...
# cat cache > $DIR/backup/cache$(date +%Y-%m-%d).bak
# cat $DIR/cache | unbound-control load_cache
#
remote-control:
  control-interface: 127.0.0.1
  control-use-cert: no
  control-enable: yes

Some interesting articles:

Unbound recursive DNS resolver - Burns
https://0xcb.dev/unbound-recursive-dns-resolver/

Unbound DNS Tutorial
https://calomel.org/unbound_dns.html

https://tools.ietf.org/html/rfc7958#section-2.1.3

https://www.iana.org/domains/root/files


_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw


Last edited by mwchang on Thu Aug 26, 2021 14:09; edited 13 times in total
mwchang
DD-WRT Guru



PostPosted: Sun Nov 29, 2020 14:02    Post subject: Reply with quote
BTW, I found Cloudflare's DNS is relatively slower than Google's DNS.

There's sometimes a very short delay when going to some overseas websites from Hong Kong. Local websites are less affected. Cloudflare did connect my router to its HKG DNS servers.

I didn't benchmark them though using tracert or other tools....


itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 260
Location: United States

PostPosted: Sun Nov 29, 2020 15:02    Post subject: Reply with quote
...

Last edited by itwontbewe on Sat Jan 14, 2023 20:29; edited 105 times in total
mwchang
DD-WRT Guru



PostPosted: Mon Nov 30, 2020 15:07    Post subject: Reply with quote
itwontbewe wrote:
A couple of notes from the OP of this thread. I noticed AdGuard DNS has new addresses

and the Quad9 no-security addresses will do DoT but not DNSSEC, so they won't work properly
Code:
forward-addr: 9.9.9.10@853#dns-nosec.quad9.net
forward-addr: 149.112.112.10@853#dns-nosec.quad9.net

From https://www.quad9.net/faq/#Does_Quad9_implement_DNSSEC
Code:

Is there a service that Quad9 offers that does not have the blocklist or other security?

The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, we do provide an unsecured service and it can be helpful in determining if there are false positives in the Quad9 threat feed or DNSSEC errors with a specific domain.

Unsecured IP: 9.9.9.10 Provides: No security blocklist, no DNSSEC, No EDNS Client-Subnet sent. Please use the unsecured secondary address of 149.112.112.10

IPv6: 2620:fe::10, 2620:fe::fe:10

Note: We do not recommend mixing the secure and unsecured IP addresses in the same configuration. Your devices will not be protected 100% of the time and it leads to confusion when debugging potential problems.

mwchang
DD-WRT Guru



PostPosted: Tue Dec 01, 2020 11:06    Post subject: Reply with quote
It seemed that Cloudflare 1.1.1.1 DNSSEC could not handle "use-caps-for-id: yes". This parameter affected the test result in http://1.1.1.1/help, notably the entry "Using DNS over TLS (DoT)"! And that test page might not be valid for other DNSSEC servers (Google, Quad9).

Is there a non-Cloudflare-specific DNSSEC server test page?

Also, I have found another method to run Unbound. So my previous config file might not be simple enough. You don't have to copy/create your own root files and anchors in /jffs/etc/; even the chroot and pid file location might not be necessary.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1146717
Code:
I managed to get this working using unbound from opkg and pointing dnsmasq at it to handle the queries.

unbound -v -c /opt/etc/unbound/unbound.conf

interface 0.0.0.0@53535

dig @127.0.0.1 -p 53535 www.example.com


----- add additional options to DNSMasq on DD-WRT --> Services Web Page -----
no-resolv
server=127.0.0.1#53535

Setup your DHCP static dns to be your DD-WRT IP address.



mwchang
DD-WRT Guru



PostPosted: Tue Dec 01, 2020 15:30    Post subject: Reply with quote
itwontbewe wrote:
Yeah, speeds will vary for everyone. I would prefer Quad9 but Cloudflare is noticeably faster for me right now.

Tonight, I modified unbound.conf to use Quad 1. Cloudflare HKG's DNSSEC was absolutely slow ... it's peak hour, but it's just not smooth.

I have a conspiracy theory: my browsing habit was too FAST for Cloudflare's intended design (the firewall?). I think Cloudflare thought I was doing DDoS because I went from site to site too fast...

OK, let me remove all that performance tuning stuff in unbound.conf I copied from others' posts.

Update@03 Dec:

Removing the performance tuning stuff didn't solve the problem. It seemed the problem was a result of a port conflict between dnsmasq and unbound. The dnsmasq settings for use with Unbound I copied from some guides were not 100% correct or were incomplete.


mwchang
DD-WRT Guru



PostPosted: Thu Dec 03, 2020 4:52    Post subject: Reply with quote
I found an interesting article regarding Unbound and DNS over HTTP. It's about unbound 1.8.1 ...

Unbound SNI on DoT
https://forum.turris.cz/t/unbound-sni-on-dot/8292
Code:
In order to provide SNI support on DoT a patch is being provided by unbound master

unbound version bump 1.8.1
https://gitlab.nic.cz/turris/turris-os-packages/-/issues/220#note_87981

mwchang
DD-WRT Guru



PostPosted: Thu Dec 03, 2020 7:46    Post subject: Reply with quote
One more issue when using Unbound:

If you have:

1. ticked "Ignore WAN DNS" in "WAN Connection Type"
2. un-ticked "Use DNSmasq for DNS"
3. filled in a time server name in Basic-Setup->Time Settings

Then process_monitor has no DNS server to use when setting the initial system time during startup. Unbound will refuse to work (but is still loaded) because of the inaccurate date-time, and hence there is no DNS service for both WAN and LAN.

You need to blank the custom time server name in Basic Setup->Time Settings, so that process_monitor uses its hard-coded NTP server address "212.18.3.19" (which is pool.ntp.org). Once the time is set correctly during startup, unbound works. I heard that iOS is also using a hard-coded time server IP address as well!

If you insist on using your own NTP server in Time Settings, insert a local-data record in unbound.conf to resolve that time server name. Alternatively, fill in an IP address instead of a name in Basic Setup->Time Settings so that no DNS server is needed by process_monitor during startup.

You might argue why tick "Ignore WAN DNS" in the first place. Well, that guarantees Unbound is the only DNS server in your LAN.

Lastly, on the user interface:

I don't know whether that Time Settings->"Server IP/Name" field supports IPv6 addresses. Add a special DNS server entry there?

Maybe it's a good idea to only allow IP addresses in that field? Also, should this field in the WebUI by default display the hard-coded "212.18.3.19"?

Also, should process_monitor auto-magically fall back to its hard-coded NTP server if users fill in wrong values or an unreachable server IP/name there, and log an entry in /var/log/messages?


mwchang
DD-WRT Guru



PostPosted: Mon Dec 07, 2020 15:51    Post subject: Why is Firefox implementing DoH and not DoT? Reply with quote
Source: https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs#w_why-is-firefox-implementing-doh-and-not-dot

Why is Firefox implementing DoH and not DoT?

The IETF has standardized two DNS over secure transport protocols: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). These two protocols have broadly similar security and privacy properties. We chose DoH because we believe it is a better fit for our existing mature browser networking stack (which is focused on HTTP) and provides better support for future protocol features such as HTTP/DNS multiplexing and QUIC.

DNS over HTTPS - the good, the bad and the ugly
https://archive.fosdem.org/2019/schedule/event/dns_over_http/


mwchang
DD-WRT Guru



PostPosted: Mon Dec 07, 2020 16:10    Post subject: Reply with quote
New unbound.conf, which enabled port 853. Spent some time checking settings and their effects.

edited: 09 Dec 2020 - use primary in auth-zone, remove prefetch
edited: 10 Dec 2020 - take out root.hints & performance stuff
edited: 11 Dec 2020 - do-not-query-localhost, private-domain
edited: 06 Jan 2021 - misunderstood "primary" option in auth-zone
edited: 26 Aug 2021 - add option "tls-upstream: yes" to the "server" section. It's not the same as "ssl-upstream". Bugfix for ports and interfaces:
Code:

#
# source: https://0xcb.dev/unbound-recursive-dns-resolver/
#
# curl -sS -L --compressed "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" > /tmp/blockedhosts
# grep '^0\.0\.0\.0' /tmp/blockedhosts | awk '{print "local-data: \""$2" A 127.0.0.1\""}' > /jffs/etc/blockedhosts.conf
#
# reference: https://calomel.org/unbound_dns.html
#
# /jffs/etc/root.zone came from https://data.iana.org/root-anchors/root-anchors.xml
#
# Trust anchors: https://data.iana.org/root-anchors/
#
# Official root files: https://www.iana.org/domains/root/files
#
# Default ntp server for process_monitor without DNS: 212.18.3.19
#
# Additional options for dnsmasq:
#
# WAN Setup -> Ignore WAN DNS = Yes
# Network Setup -> Local DNS = 192.168.1.1
# Use DNSMasq for DNS = No
# DHCP-Authoritative = Yes
# Recursive DNS Resolving (Unbound) = Yes
#
# Services -> Dnsmasq:
# Query DNS in Strict Order: Disable
# Additional DNSmasq Options:
#    cache-size=0
#
# Setup -> Time Settings -> Server IP/Name: blank!
#
# The last setting is important when Unbound is
# the only DNS. It affects process_monitor from
# setting the correct time in order for Unbound
# to work. It forces process_monitor to use
# built-in hard-coded setting to get time even
# when DNS server is not available. Better, fill
# in IP address of preferred NTP server instead of domain name!
#
server:
#
# https://nurdletech.com/linux-notes/dns/unbound.html
#
# enable port 853
#
tls-port: 853
interface: 0.0.0.0@853
interface: 0.0.0.0@53

tls-service-key: "/etc/key.pem"
tls-service-pem: "/etc/cert.pem"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
#
outgoing-port-avoid: 0-32767
do-tcp: yes
do-udp: yes
do-ip4: yes
do-ip6: no
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow
#
username: ""
#
verbosity: 1
log-servfail: yes
log-time-ascii: yes
extended-statistics: yes
logfile: "/var/log/unbound.log"
#
# reference: https://nlnetlabs.nl/documentation/unbound/howto-anchor/
#
# The unbound-anchor tool provides an initial anchor from builtin values,
# but for real trust you should check this thoroughly.
#
auto-trust-anchor-file: "/etc/unbound/root.key"
#
# Since I have auth-zone for ".", no need to use
# root-hints: "/etc/unbound/named.cache"
# And it seemed it's after this way
#
identity: ".."
hide-identity: yes
hide-version: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
#
minimal-responses: yes
qname-minimisation: yes
#
# not that helpful based on unbound stats
# prefetch: yes
# prefetch-key: yes
#
rrset-roundrobin: yes
ssl-upstream: yes
tls-upstream: yes
#
# following parameter disabled TLS
# use-caps-for-id: yes
#
# Performance tuning:
#
edns-buffer-size: 1472
#
# For use at your discretion:
#
# num-queries-per-thread: 2048
# outgoing-range: 2048
# msg-cache-size: 67108864
# rrset-cache-size: 128525653
#
# num-threads: 1
# msg-cache-slabs: 1
# rrset-cache-slabs: 1
# infra-cache-slabs: 1
# key-cache-slabs: 1
#
private-domain: "my_domain.com"
domain-insecure: "my_domain.com"
#
# do not use the following line
# do-not-query-localhost: no
#
local-zone: "my_domain.com." static
local-data: "router.my_domain.com. IN A 192.168.1.1"
local-data-ptr: "192.168.1.1 router.my_domain.com"
#
# for using custom time server name in Time Settings
# local-data: "time.hko.hk IN A 118.143.17.82"
#
forward-zone:
  name: "."
#  forward-first: yes
  forward-tls-upstream: yes
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#one.one.one.one
#
# To test setup using Cloudfare's page,
# comment out following non-Cloudfare servers!
#
  forward-addr: 8.8.4.4@853#dns.google
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
#
auth-zone:
  name: "."
# https://www.iana.org/domains/root/servers
  master: 192.41.0.4
  master: 199.9.14.201
  master: 192.33.4.12
  master: 199.7.91.13
  master: 192.203.230.10
  master: 192.5.5.241
  fallback-enabled: yes
  for-downstream: no
  for-upstream: yes
#
#  zonefile: "root.zone"
#  url: "https://www.internic.net/domain/root.zone"
#
auth-zone:
  name: "my_domain.com"
  for-downstream: yes
  for-upstream: yes
#
# unbound-checkconf unbound.conf
# stopservice unbound
# startservice unbound
# ps | grep unbound
#
# To test DNSSEC:
#
# https://1.1.1.1/help
# https://www.cloudflare.com/ssl/encrypted-sni/
# https://dnssec.vs.uni-due.de/
# openssl s_client -connect 1.1.1.1:853
# openssl s_client -connect localhost:853
#
# reference: https://wiki.archlinux.org/index.php/unbound#Setting_up_unbound-control
# reference: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325167
# reference: https://www.saic.it/how-to-install-and-configure-cache-only-dns-server-with-unbound-in-rhel-centos-7/
#
# run unbound-control-setup to generate certs
#
# echo dumping & reloading cache...
# unbound-control dump_cache > $DIR/cache
# echo backing up the dns cache...
# cat cache > $DIR/backup/cache$(date +%Y-%m-%d).bak
# cat $DIR/cache | unbound-control load_cache
#
##!/bin/sh
# mapfile -t NSArray < <(unbound-control dump_cache |  grep -P "IN   NS" | sed '/NSEC/d')
# for (( i=0; i<${#NSArray[@]}; i++ )); do
#   IFS=$'   ' read -r zone ttl ignore2 ignore3 nameserver  <<< "${NSArray[i]}"
#   if [[ $(echo "${zone::-1}" | grep '.') ]]; then
#      echo "${nameserver}"
#   fi
# done
#
# unbound-control stats | grep total
#
remote-control:
  control-interface: 127.0.0.1
  control-use-cert: no
  control-enable: yes


Some interesting articles:

Unbound recursive DNS resolver - Burns
https://0xcb.dev/unbound-recursive-dns-resolver/

Unbound DNS Tutorial
https://calomel.org/unbound_dns.html

https://tools.ietf.org/html/rfc7958#section-2.1.3

https://www.iana.org/domains/root/files




Last edited by mwchang on Thu Nov 18, 2021 6:07; edited 3 times in total
l3g023
DD-WRT Novice


Joined: 27 Sep 2020
Posts: 13

PostPosted: Fri Nov 05, 2021 1:56    Post subject: DoT OK - Netflix NOT Loading Thumbnails - R7800 Reply with quote
Netgear R7800
Firmware: DD-WRT v3.0-r44863 std (11/24/20)

Hi guys, wondering if anyone knows the cause of this problem.

DoT worked (still does) very well with the only difference that Netflix Thumbnails aren't loading anymore.

Video content actually loads though.

I don't know if it's a problem with Cloudflare or a change from Netflix side.

My setup is as per the OP on page 1.

Any suggestions?


Code:
mkdir -p /jffs/etc
curl -sS --output /jffs/etc/root.hints https://www.internic.net/domain/named.cache
cp /etc/unbound/root.key /jffs/etc
> /jffs/etc/unbound_dns.conf
> /jffs/etc/blockedhosts.conf
> /jffs/etc/unbound.conf




Code:
cat << EOF > /jffs/etc/unbound.conf
server:
verbosity: 1
num-threads: 2
interface: 127.0.0.1@7053
port: 7053
outgoing-range: 950
msg-cache-size: 50m
msg-cache-slabs: 1
num-queries-per-thread: 512
rrset-cache-size: 100m
rrset-cache-slabs: 1
infra-cache-slabs: 1
access-control: 127.0.0.0/8 allow
access-control: 192.168.123.61/24 allow
chroot: "/jffs/etc"
username: ""
directory: "/jffs/etc"
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/etc/root.hints"
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
rrset-roundrobin: yes
auto-trust-anchor-file: "/jffs/etc/root.key"
key-cache-slabs: 1
# Adblock
include: "/jffs/etc/blockedhosts.conf"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
python:
remote-control:
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-tls-upstream: yes
# Custom DNS Resolver
include: "/jffs/etc/unbound_dns.conf"
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "root.zone"
EOF
stopservice unbound
startservice unbound
ps | grep unbound



Code:
cat << EOF > /jffs/etc/unbound_dns.conf
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
stopservice unbound
startservice unbound
ps | grep unbound
itwontbewe
DD-WRT User



PostPosted: Fri Nov 05, 2021 14:59    Post subject: Reply with quote
..

Last edited by itwontbewe on Mon Nov 08, 2021 22:16; edited 2 times in total
itwontbewe
DD-WRT User



PostPosted: Fri Nov 05, 2021 15:27    Post subject: Reply with quote
Code:
mkdir -p /jffs/etc
curl -sS --output /jffs/etc/root.hints https://www.internic.net/domain/named.cache
cp /etc/unbound/root.key /jffs/etc
# > /jffs/etc/unbound_dns.conf
# > /jffs/etc/blockedhosts.conf
> /jffs/etc/unbound.conf


If you're not using blocking you don't need to create the > /jffs/etc/blockedhosts.conf file. If you know what DNS you want to use you don't need the > /jffs/etc/unbound_dns.conf file. I also now create a new directory for unbound.


Code:
cat << EOF > /jffs/etc/unbound.conf
server:
verbosity: 1
num-threads: 2
interface: 127.0.0.1@7053 # i use 0.0.0.0 now
port: 7053
outgoing-range: 950
msg-cache-size: 50m # probably don't need this much
msg-cache-slabs: 1
num-queries-per-thread: 512
rrset-cache-size: 100m # probably don't need this much
rrset-cache-slabs: 1
infra-cache-slabs: 1
access-control: 127.0.0.0/8 allow
access-control: 192.168.123.61/24 allow
chroot: "/jffs/etc"
username: ""
directory: "/jffs/etc"
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/etc/root.hints"
hide-identity: yes
hide-version: yes
# do-not-query-localhost: no # documentation says this is for testing only
rrset-roundrobin: yes
auto-trust-anchor-file: "/jffs/etc/root.key"
key-cache-slabs: 1
# Adblock
# include: "/jffs/etc/blockedhosts.conf"
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
python:
remote-control:
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com # cloudflare suggests different host names now
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-tls-upstream: yes
# Custom DNS Resolver
# include: "/jffs/etc/unbound_dns.conf"
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone" # i use addresses for this now.
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "root.zone"
EOF
stopservice unbound
startservice unbound
ps | grep unbound



There are different approaches. mwchang has posted a setup and other users have as well. You just have to make sure you are consistent with directories and what not. I'm not the best at explaining things; hope I helped at least a little.

Possibly other users may speak up as well.
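The unbound.conf blocks posted in this thread (mwchang's two configs above, and the cat << EOF blocks in this and l3g023's posts) share a few slips that unbound-checkconf does not all catch: an option name mis-typed (tsl-upstream instead of tls-upstream, which makes Unbound refuse to start), access-control netblocks written with host bits set (192.168.1.1/24, 192.168.123.61/24) or with a mask wider than the LAN, a second forward-zone for "." when an included file repeats the main one, and a TLS forwarder without the #authname that lets Unbound match the upstream certificate against a name. The following linter is an added example, not unbound-checkconf and not any poster's script; it parses the format as posted (the '#' in 9.9.9.9@853#dns.quad9.net is part of the value, not a comment), and its TYPO_KEYS table, the LAN_RANGES choice and the SAMPLE_CONF are all constructed assumptions.

```python
"""Offline policy lint for an unbound.conf (constructed example, not unbound-checkconf
and not any poster's script): flags the mistakes that recur in this thread."""
import ipaddress
import re

# Mis-typed option names seen in posted configs -> the real option (assumed table;
# Unbound rejects unknown keywords and refuses to start).
TYPO_KEYS = {"tsl-upstream": "tls-upstream"}
# Address space a home router's resolver is expected to serve (assumed).
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def parse_unbound_conf(text):
    """Yield (section, key, value, lineno). '#' opens a comment only at a token
    boundary, so forward-addr: 9.9.9.9@853#dns.quad9.net keeps its auth name."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        key, sep, value = re.sub(r"(^|\s)#.*$", "", raw).strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if value == "":  # bare "server:" / "forward-zone:" header
            section = key
        yield section, key, value, lineno


def check_acl(value, lineno):
    """Findings for one 'access-control: <netblock> <action>' line."""
    try:
        block, action = value.split()
        net = ipaddress.ip_network(block, strict=False)
    except ValueError:
        return [("acl-syntax", lineno, f"cannot parse access-control {value!r}")]
    out = []
    try:
        ipaddress.ip_network(block)  # strict: fails exactly when host bits are set
    except ValueError:
        out.append(("acl-hostbits", lineno, f"{block} has host bits set; write {net}"))
    if action.startswith("allow") and not any(
            net.version == r.version and net.subnet_of(r) for r in LAN_RANGES):
        out.append(("acl-broad", lineno, f"'{action}' for {net} reaches beyond "
                    "loopback/RFC1918: open-resolver exposure on a WAN-reachable interface"))
    return out


def lint_unbound_conf(text):
    """Return (code, lineno, message) findings, sorted by line."""
    findings, zones, server = [], [], {}
    for section, key, value, lineno in parse_unbound_conf(text):
        if key in TYPO_KEYS:
            findings.append(("typo-key", lineno, f"'{key}' is not an Unbound option; "
                             f"did you mean {TYPO_KEYS[key]}?"))
        if key == "forward-zone":
            zones.append({"line": lineno, "name": None, "tls": False, "addrs": []})
        elif section == "forward-zone" and zones:
            z = zones[-1]
            if key == "name":
                z["name"] = value
            elif key in ("forward-tls-upstream", "forward-ssl-upstream"):
                z["tls"] = value == "yes"
            elif key == "forward-addr":
                z["addrs"].append((value, lineno))
        elif section == "server" and key == "access-control":
            findings.extend(check_acl(value, lineno))
        elif section == "server":
            server[key] = value
    # A TLS forwarder needs a #authname, or the upstream certificate is not matched
    # against any name; server-wide tls-upstream (alias ssl-upstream) also applies.
    global_tls = "yes" in (server.get("tls-upstream"), server.get("ssl-upstream"))
    seen = {}
    for z in zones:
        if z["name"] in seen:
            findings.append(("dup-forward", z["line"], f"second forward-zone for "
                             f"'{z['name']}' (first at line {seen[z['name']]})"))
        seen.setdefault(z["name"], z["line"])
        for addr, ln in z["addrs"]:
            if (z["tls"] or global_tls) and "#" not in addr:
                findings.append(("tls-noauth", ln, f"{addr}: no #authname on a TLS forwarder"))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample that reproduces the thread's slips in one file.
SAMPLE_CONF = """\
server:
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/8 allow
    access-control: 192.168.123.61/24 allow
    tsl-upstream: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853
forward-zone:
    name: "."
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""
```

Run lint_unbound_conf() over the file before stopservice/startservice and treat typo-key and acl-broad as blockers: the first means Unbound will not come up at all, the second means a host outside the LAN that can reach the listening interface gets answers.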
l3g023
DD-WRT Novice



PostPosted: Fri Nov 05, 2021 23:32    Post subject: Solved Reply with quote
Hi itwontbewe.

Thanks for your reply. I have just realised that my problem was lying within certain VPN servers (duh!) so it was my VPN provider's fault!


My setup:

Ignore WAN IP (basic setup)
Open VPN
PBR & Kill-Switch https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
SSH via VPN (ssh-rsa key used) https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1218700#1218700
DNS Encryption - DoT https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319860&sid=10e4b5c769102abbd27e3661534bea8e
Adblock https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=307533&postdays=0&postorder=asc&start=0

-l3g0
All times are GMT